Legal claims defining the scope of protection, as filed with the USPTO.
1. A method for communicating IPSec tunnel packets with compressed inner headers, a tunnel header, an IPSec header, an encapsulated portion, and an authentication code, the method comprising: storing an inner IP header and an inner protocol header from an initial IPSec tunnel packet in a context sub-table at a destination tunnel device; for a subsequent IPSec tunnel packet, generating at the source tunnel device a compressed inner header from the inner protocol header of the subsequent IPSec tunnel packet; performing a operation on at least one of the compressed inner header, a payload field and a padding field of the subsequent IPSec tunnel packet to generate the encapsulated portion; replacing at least one of the inner IP header, the inner protocol header, the payload field and the padding field of the subsequent IPSec tunnel packet with the encapsulated portion to generate an IPSec tunnel packet with compressed inner headers; at the destination tunnel device, identifying a security association database entry for the tunnel using a security policy index number in the IPSec header; at the destination tunnel device, decrypting the encapsulated portion to determine at least one of the compressed inner protocol header and the padding field, the padding field including a context sub-table identifier to identifies a context sub-table associated with the security association database entry; at the destination tunnel device, retrieving at least one of the inner IP header and the inner protocol header for the subsequent IPSec tunnel packet from the context sub-table; and recreating the subsequent IPSec tunnel packet using the inner IP header and inner protocol header retrieved from the context sub-table.
2. The method as claimed in claim 1 wherein generating the compressed inner header comprises comparing the inner protocol header with an inner protocol header of a prior IPSec tunnel packet with full inner headers.
3. The method as claimed in claim 2 wherein the generating the compressed inner header comprises generating a status field to indicate fields of the inner protocol header that have changed from the prior IPSec tunnel packet.
4. The method as claimed in claim 3 further comprising updating the inner protocol header in the context sub-table based on information in the compressed inner header, and wherein replacing comprises replacing the compressed inner header with the inner IP header retrieved from the context sub-table and the updated inner protocol header to recreate the IPSec tunnel packet with full inner headers.
5. A method for communicating IPSec tunnel packets with compressed inner headers comprising: generating a compressed inner header from an inner protocol header of an IPSec tunnel packet with full inner headers; performing an operation on at least one of the compressed inner header, a payload field and a padding field of the IPSec tunnel packet to generate an encapsulated portion; replacing at least one of an inner IP header, the inner protocol header, the payload field and the padding field of the IPSec tunnel packet with the encapsulated portion to generate an IPSec tunnel packet with compressed inner headers; performing a second operation on the encapsulated portion of the IPSec tunnel packet with compressed inner headers to determine the compressed inner protocol header and the padding field, the padding field including a context sub-table identifier to identify a context sub-table; retrieving the inner IP header and the inner protocol header for the IPSec tunnel packet from the context sub-table; and recreating the IPSec tunnel packet with full inner headers using the IP header and inner protocol header retrieved from the context sub-table.
6. The method as claimed in claim 5 wherein generating the compressed inner header comprises comparing the inner protocol header with an inner protocol header of a prior IPSec tunnel packet with full inner headers.
7. The method as claimed in claim 6 wherein the IPSec data packet with full inner headers has inner headers including the inner protocol header and an inner IP header, and wherein generating the compressed inner header includes refraining from including information from the inner IP header.
8. The method as claimed in clam 6 wherein the generating the compressed inner header comprises generating a status field to indicated fields of the inner protocol header that have changed from the prior IPSec tunnel packet.
9. The method as claimed in clam 6 wherein the generating the compressed inner header comprises including a generation data field in the compressed inner header.
10. The method as claimed in clam 5 wherein performing the operation comprises performing either an encryption operation or an authentication operation on the compressed inner header, the payload field and the padding field to generate the encapsulated portion.
11. The method as claimed in claim 5 wherein performing the operation comprises adding bits to the padding field prior to performing either the encryption operation or the authentication operation.
12. The method as claimed in claim 5 wherein performing the second operation on the encapsulated portion comprises either decrypting or authenticating the encapsulated portion.
13. The method as claimed in claim 5 wherein recreating the IPSec tunnel packet with full inner headers comprises replacing the compressed inner header with the inner IP header retrieved from the context sub-table and an updated inner protocol header to recreate the IPSec tunnel packet with full inner headers, and wherein generating the compressed inner header, performing the operation, and replacing the inner IP header are performed at a source tunnel device, and wherein performing the second operation on the encapsulated portion, retrieving, and replacing the compressed inner header are performed at a destination tunnel device.
14. The method as claimed in claim 13 further comprising: sending an initial IPSec tunnel packet with full inner headers from the source tunnel device to the destination tunnel device; and storing an inner IP header and an inner protocol header of the initial IPSec tunnel packet in the context sub-table at the destination tunnel device.
15. The method as claimed in claim 14 further comprising: adding a tunnel header, an IPSec header, and an authentication code to the encapsulated portion; and sending the IPSec tunnel packet with compressed inner headers from the source tunnel device to the destination tunnel device.
16. The method as claimed in claim 5 further comprising reading a portion of a security policy index number contained in an IPSec header to determine when an IPSec tunnel packet received at a destination tunnel device has compressed inner headers.
17. The method as claimed in claim 16 wherein reading the portion of the security policy index number further comprises reading the portion of the security policy index number to determine when the IPSec packet with compressed inner headers is a TCP type packet or a non-TCP type packet.
18. The method as claimed in claim 5 further comprising reading a portion of a security policy index number contained in the IPSec header to identity a key for use in performing a security operation on the encapsulated portion of the IPSec tunnel packet with compressed inner headers.
19. The method as claimed in claim 5 further comprising reading a portion of a security policy index number contained in the IPSec header to identify a security association database entry for an IPSec tunnel between a source tunnel device and a destination tunnel device, the security association database entry identifying a key for performing a security operation on the encapsulated portion.
20. The method as claimed in claim 19 wherein the context sub-table is one of a plurality of context sub-tables associated with the security association database entry, each context sub-table of the plurality being associated with a subnet destination tunnel device beyond the destination tunnel device.
21. The method as claimed in claim 5 further comprising updating the inner protocol header stored in the context sub-table based on information in the compressed inner header, and wherein replacing comprises replacing the compressed inner header with the inner IP header retrieved from the context sub-table and the updated inner protocol header to recreate the IPSec tunnel packet with full inner headers.
22. The method as claimed in claim 5 further comprises reading a tunnel header at a destination tunnel device to determine whether the IPSec tunnel packet with compressed headers implements an encapsulating security protocol (ESP) or an authentication header (AH) protocol, and wherein the security operation includes a decryption when the ESP is implemented, and the security operation includes an authentication when the AH protocol is implemented.
23. The method as claimed in claim 22 further comprising: reading a portion of a security policy index number contained in the IPSec header to identify a security association database entry for an IPSec tunnel between the source tunnel device and the destination tunnel device, the security association database entry including a flag to indicate when the encapsulated portion is encrypted; and refraining from performing the decrypting at the destination tunnel device when the flag indicates encryption has not been performed on the encapsulated portion.
24. A tunnel device for communicating IPSec tunnel packets with compressed inner headers, the tunnel device comprising: an inner header compressor to (i) generate a compressed inner header from an inner protocol header of an IPSec tunnel packet with full inner headers that include an inner IP header, (ii) compare the inner protocol header with an inner protocol header of a prior IPSec tunnel packet with full inner headers, (iii) refrain from including information from the inner IP header, and (iv) generate a status field to indicate fields of the inner protocol header that have changed from the prior IPSec tunnel packet; a security processor to perform a security operation on the compressed inner header, a payload field and a padding field of the IPSec tunnel packet to generate an encapsulated portion; and an IP packet processor to replace an inner IP header, the inner protocol header, the payload field and the padding field of the IPSec tunnel packet with the encapsulated portion to generate an IPSec tunnel packet with compressed inner headers, wherein a second tunnel device performs a security operation on the encapsulated portion of the IPSec tunnel packet with compressed inner headers to determine the compressed inner protocol header and the padding field, the padding field including a context sub-table identifier to identify a context sub-table, retrieves the inner IP header and the inner protocol header for the IPSec tunnel packet from the context sub-table, and recreates the IPSec tunnel packet with full inner headers using the IP header and inner protocol header retrieved from the context sub-table.
25. A computer readable medium having program instructions stored thereon for performing a method of communicating IPSec tunnel packets with compressed headers when executed within a digital processing device, the method comprising: generating a compressed inner header from an inner protocol header of an IPSec tunnel packet with full inner headers that include an inner IP header, while refraining from including information from the inner IP header; comparing the inner protocol header with an inner protocol header of a prior IPSec tunnel racket with full inner headers; generating a status field to indicate fields of the inner protocol header that have changed from the prior IPSec tunnel packet; performing a security operation on the compressed inner header, a payload field and a padding field of the IPSec tunnel packet to generate an encapsulated portion; replacing an inner IP header, the inner protocol header, the payload field and the padding field of the IPSec tunnel packet with the encapsulated portion to generate an IPSec tunnel packet with compressed inner headers; performing a security operation on the encapsulated portion of the IPSec tunnel packet with compressed inner headers to determine the compressed inner protocol header and the padding field, the padding field including a context sub-table identifier to identify a context sub-table; retrieving the inner IP header and the inner protocol header for the IPSec tunnel packet from the context sub-table; and recreating the IPSec tunnel packet with full inner headers using the IP header and inner protocol header retrieved from the context sub-table.
26. The computer readable medium as claimed in claim 25 wherein recreating the IPSec tunnel packet with full inner headers comprises replacing the compressed inner header with the inner IP header retrieved from the context sub-table and an updated inner protocol header to recreate the IPSec tunnel packet with full inner headers, and wherein generating the compressed inner header, performing the security operation and replacing the inner IP header are performed at a source tunnel device, and wherein performing the security operation on the encapsulated portion, retrieving, and replacing the compressed inner header are performed at a destination tunnel device.
27. The computer readable medium as claimed in claim 26 wherein the programming instructions further comprise instructions for performing for the method which further comprise: sending an initial IPSec tunnel packet with full inner headers from the source tunnel device to the destination tunnel device; and storing an inner IP header and an inner protocol header of the initial IPSec tunnel packet in the context sub-table at the destination tunnel device.
28. The computer readable medium as claimed in claim 26 wherein the programming instructions further comprise instructions for performing the method which further comprise updating the inner protocol header in the context sub-table based on information in the compressed inner header, and wherein replacing comprises replacing the compressed inner header with the inner IP header retrieved from the context sub-table and the updated inner protocol header to recreate the IPSec tunnel packet with full inner headers.
Unknown
May 8, 2007
Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.